What would a person with your real name and your phone number do with that information that would in one way or another affect your life either positively or negatively? And do you consider disclosure of your name and phone number a violation of your privacy?
Well, this is a question that many still grapple with, and many really don’t see a risk in the disclosure of this information. Maybe the risk is not immediate, but the damage that can be done with this information would leave one asking themselves, “What really happened?” It is at this moment that you realize that information is power and one needs to protect it to the best of their capacity.
It’s normally a dilemma for many to choose when, where and which information to share. Let’s digest this further…
- Ever been in a situation where you’re making an online purchase and you have to give your details before you can shop for anything, or you’re filling in an online form just to get a download that is free?
- Ever gone to a building where, on your way in, you have to give your name, email, phone number, identity number and signature in order to access the building, and the book you’re recording all this information in is left unattended at the security desk? And after submitting your details at the gate, you still have to give the same information at the reception area, detailing where you are going?
- Ever found yourself in a situation where you get a call from a person claiming to be from a telecom company, a bank or a government agency, and they start asking you for details that are meant to be private?
These are just a few examples. There are people out there determined to collect your data and, in any way possible, make money with it.
Now they have a new way of getting more precise and accurate data on you. It is seen as a confirmatory gesture, but in security terms it gives out your data for FREE. It’s through the M-PESA confirmation pop-up (M-PESA HAKIKISHA) that lasts for 25 seconds. On this pop-up, you get to know the actual names of the person the phone number belongs to. When running on the SIM toolkit, it limits the queries to just 5, but on the Safaricom App it is limitless, allowing fraudsters to guess phone numbers all day and get names as per the national ID.
This feature was implemented to ensure people send money to the right person by showing a pop-up with the registered user of the SIM card. The SIM card registration directive was given by the Communications Authority of Kenya in 2013 for all telcos to register SIM cards to individuals, and the directive was gazetted in 2015 (Kenya Information and Communications Act (Registration of SIM-Cards) Regulations).
A GSMA white paper dated November 2013 highlighted the different pros and cons of registering SIM cards and what nations should do in order to address the several issues that other countries faced. But with the increasing amount of SIM card hawking in the streets, there is even more privacy violation risk when sharing your information.
But the feature is now being misused, and people are using that 25-second pop-up to record the names of the registered users of specific SIM cards. With this information, they orchestrate a scam campaign targeting these contacts with the aim of defrauding them of money or getting even more information from them.
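One mitigation for the unlimited lookups described above, as an added example (not Safaricom's code and not part of the original article): cap the name lookups an account can make without completing a transfer. The account IDs, phone numbers and 24-hour window are constructed assumptions; only the cap of 5 comes from the article's description of the SIM toolkit.

```python
from collections import defaultdict, deque

MAX_UNCONFIRMED = 5         # the cap the article reports for the SIM toolkit
WINDOW_SECONDS = 24 * 3600  # assumed window; the article does not give one

class LookupLimiter:
    """Caps name lookups that were never followed by a completed transfer."""
    def __init__(self, max_unconfirmed=MAX_UNCONFIRMED, window=WINDOW_SECONDS):
        self.max_unconfirmed = max_unconfirmed
        self.window = window
        self._pending = defaultdict(deque)  # account -> (timestamp, recipient)

    def allow_lookup(self, account, recipient, now):
        """Return True if the registered name may be shown to this account."""
        q = self._pending[account]
        while q and now - q[0][0] >= self.window:  # drop expired lookups
            q.popleft()
        if any(r == recipient for _, r in q):      # re-check of same number
            return True
        if len(q) >= self.max_unconfirmed:
            return False
        q.append((now, recipient))
        return True

    def transfer_completed(self, account, recipient):
        """A completed transfer frees the slot its lookup was holding."""
        q = self._pending[account]
        self._pending[account] = deque(e for e in q if e[1] != recipient)

def replay(events, limiter=None):
    """Run (ts, account, action, recipient) events; count denials per account."""
    limiter = limiter or LookupLimiter()
    denied = defaultdict(int)
    for ts, account, action, recipient in sorted(events):
        if action == "lookup" and not limiter.allow_lookup(account, recipient, ts):
            denied[account] += 1
        elif action == "send":
            limiter.transfer_completed(account, recipient)
    return dict(denied)

def sample_events():
    """Constructed data: one ordinary customer, one account guessing numbers."""
    events = []
    for i in range(8):   # looks up a recipient, then sends
        events += [(i * 600, "acct-user", "lookup", f"07XX-000-{i:03d}"),
                   (i * 600 + 20, "acct-user", "send", f"07XX-000-{i:03d}")]
    for i in range(20):  # sequential lookups, never sends
        events.append((i * 30, "acct-enum", "lookup", f"07XX-111-{i:03d}"))
    return events
```

Replaying the sample data leaves the ordinary customer untouched, while the account that only looks up names is denied once its five unconfirmed lookups are used.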
A case example is where one gets a call from a random number and the caller starts the conversation with:
Scammer: “Hello, this is <caller name> from <Telco name> customer care, am I talking to <Your real name>?”
Victim: Yes, this is him/her…
Scammer: Good day Sir/Madam, we have realized there is an issue with your line and we would like to confirm a few things from you.
If the victim falls prey to this call, the scammers may end up with more information than they had, and at times even defraud the victim through the mobile banking platform. It is at the end of the conversation, if you were not careful, that you realize the number that called you is not legit.
Another scenario is that you start getting many marketing and spam messages that you have not subscribed to. Some of these messages include:
Some messages are more of an extortion and play on human emotions to persuade people to send money.
The scam pyramid never ends once your information is in the wrong hands. And with the recent wrangles over an inside scam happening at Safaricom, the possibilities of your data falling into the wrong hands have increased day by day. Safaricom sued for data breach.
The new Data Protection Act 2018 in Kenya, which was signed in late 2019, puts forward regulations on data protection and what different organizations should do in order to ensure the data they hold is safe. The Act highlights that personally identifiable information (PII) should be protected and that a breach attracts a fine to the organization.
So the big question is: is the Safaricom M-Pesa 25-second pop-up a data privacy violation or a security feature?
It is important that organizations protect what is termed PII and respect individuals’ privacy, but in as much as organizations do their part, it’s also important that you as an individual be #CyberSmart #CyberAware. Do not leave your information out there carelessly, use applications like Truecaller to identify caller IDs, but most of all, be your own cop. There is a thin line between privacy and security.
By Michael Felix
Follow @CyberSpeakLC on Twitter and LinkedIn